Naushad Kasu

RSA NetWitness Log & Network Parser Meta Mapping

Blog Post created by Naushad Kasu Employee on Apr 3, 2019

Administrators and Content Managers alike often need more information about the current state of their parsers (both Log and Network, the latter formerly called Packet). There is an older, fancier interface for Log parser meta keys here:

https://community.rsa.com/community/products/netwitness/blog/2017/11/13/rsa-meta-dictionary-tool

The script in this blog post works against the live services, so its view is more current, and it gives you additional visibility into the meta keys your parsers actually produce.


Pre-Requisites

Make sure you have run ssh-propagate.sh on your SA Server (10.x) or NW Server / Node0 (11.x) so that the host you run the script from has key-based SSH access to the downstream services. The script uses SCP to pull the parser definitions from the Log Decoder for the log-parsing functionality; without that access, Log mode cannot work.

 

Synopsis

 

Log Parser -> Meta Key Mapping:
When run in Log mode with a specific parser name as a parameter, the script outputs every meta key used by that parser. For each key it also outputs the format and whether the key is "passed to the Concentrator": a key whose flag is set to Transient exists only in the session on the Decoder and is not passed to the Concentrator, while a key whose flag is None is passed through.
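The following Python is an added example of the Log-mode mapping step; it is not the get-parser-keys.py script attached to this post. Instead of copying files from a Log Decoder over SCP, it works on two constructed XML excerpts embedded in the code: one in the style of a log parser definition (the `<key>` tokens inside each HEADER/MESSAGE content attribute are the envision names the parser fills in) and one in the style of table-map.xml, which maps each envision name to its NetWitness key name, format and flags. The file contents, the table-map path in the comment, and the colouring of unmapped keys are all assumptions made for the example.

```python
"""Map the meta keys a NetWitness log parser references to their table-map
entries (nwName, format, flags) and report which ones are Transient.

Added example, not the post's get-parser-keys.py. It parses constructed XML
strings instead of files fetched from a Log Decoder over SCP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of a log parser definition (not a real
# rhlinux.xml). Keys are <name> tokens inside the content attribute; directives
# such as <!payload:...> are not keys and must be skipped.
PARSER_XML = """<DEVICEMESSAGES>
  <HEADER id1="0001" id2="0001"
          content="&lt;hfld1&gt; &lt;hfld2&gt; &lt;hostname&gt; &lt;messageid&gt;[&lt;process_id&gt;]: &lt;!payload:messageid&gt;"/>
  <MESSAGE id1="SSHD_ACCEPT" id2="SSHD_ACCEPT" eventcategory="1401000000"
           content="Accepted &lt;authmethod&gt; for &lt;username&gt; from &lt;saddr&gt; port &lt;sport&gt; &lt;protocol&gt;"/>
  <MESSAGE id1="SSHD_FAIL" id2="SSHD_FAIL" eventcategory="1401030000"
           content="Failed &lt;authmethod&gt; for &lt;username&gt; from &lt;saddr&gt; port &lt;sport&gt; &lt;protocol&gt;"/>
</DEVICEMESSAGES>
"""

# Constructed excerpt in the style of table-map.xml (assumed to live at
# /etc/netwitness/ng/envision/etc/table-map.xml on the Log Decoder). "hfld2" is
# deliberately left out to show how an unmapped key is reported.
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="hfld1" nwName="hfld1" flags="Transient" format="Text"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="None" format="Text"/>
  <mapping envisionName="messageid" nwName="msg.id" flags="None" format="Text"/>
  <mapping envisionName="process_id" nwName="process.id" flags="Transient" format="Text"/>
  <mapping envisionName="authmethod" nwName="authmethod" flags="None" format="Text"/>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
  <mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16"/>
  <mapping envisionName="protocol" nwName="protocol" flags="Transient" format="Text"/>
</mappings>
"""

# A key token is <identifier>; <!payload:...> and <@...> directives do not match.
KEY_RE = re.compile(r"<([A-Za-z][A-Za-z0-9_]*)>")


@dataclass
class KeyMapping:
    envision_name: str
    nw_name: Optional[str]      # None when table-map has no entry for the key
    fmt: Optional[str]
    flags: Optional[str]
    passed_to_concentrator: bool


def parser_keys(parser_xml: str) -> List[str]:
    """Envision key names referenced by HEADER/MESSAGE content, first-seen order."""
    root = ET.fromstring(parser_xml)
    seen: List[str] = []
    for el in root.iter():
        if el.tag in ("HEADER", "MESSAGE"):
            # ElementTree has already turned &lt;/&gt; back into < and >.
            for key in KEY_RE.findall(el.get("content", "")):
                if key not in seen:
                    seen.append(key)
    return seen


def load_table_map(table_map_xml: str) -> Dict[str, ET.Element]:
    root = ET.fromstring(table_map_xml)
    return {m.get("envisionName"): m for m in root.iter("mapping")}


def map_parser_keys(parser_xml: str, table_map_xml: str) -> List[KeyMapping]:
    """Join the parser's keys against table-map; Transient keys stay on the Decoder."""
    table_map = load_table_map(table_map_xml)
    rows: List[KeyMapping] = []
    for key in parser_keys(parser_xml):
        entry = table_map.get(key)
        if entry is None:
            rows.append(KeyMapping(key, None, None, None, False))
            continue
        flags = entry.get("flags", "None")
        rows.append(KeyMapping(key, entry.get("nwName"), entry.get("format"),
                               flags, flags != "Transient"))
    return rows


def render(rows: List[KeyMapping]) -> List[str]:
    """One line per key: yellow for Transient (as in the post's legend), red for a
    key with no table-map entry (an assumption of this example), plain otherwise."""
    yellow, red, reset = "\033[33m", "\033[31m", "\033[0m"
    lines = []
    for r in rows:
        if r.nw_name is None:
            lines.append(f"{red}{r.envision_name:<12} (not in table-map){reset}")
        elif not r.passed_to_concentrator:
            lines.append(f"{yellow}{r.envision_name:<12} -> {r.nw_name:<12} {r.fmt:<8} {r.flags}{reset}")
        else:
            lines.append(f"{r.envision_name:<12} -> {r.nw_name:<12} {r.fmt:<8} {r.flags}")
    return lines


if __name__ == "__main__":
    for line in render(map_parser_keys(PARSER_XML, TABLE_MAP_XML)):
        print(line)
```

On the constructed input this lists ten keys: hfld1, process_id and protocol come out as Transient, and hfld2 is flagged as having no table-map entry, which is the case to watch for when a parser references a key you expect to see on the Concentrator but never do.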

 

Network Parser -> Meta Key Mapping:
When run in Network mode with the IP of the Network Decoder, the script outputs all enabled parsers with their respective keys, colour-coded as follows:

White = Enabled
Yellow = Transient
Red = Disabled

 

Runtime

 

To run in Log mode:
Usage: ./get-parser-keys.py -l <PARSER NAME> -i <LOG DECODER IP>
Example: ./get-parser-keys.py -l rhlinux -i 192.168.1.113

 

To run in Network mode:
Usage: ./get-parser-keys.py -n -i <NETWORK DECODER IP>
Example: ./get-parser-keys.py -n -i 192.168.1.112


Sample Output

Log Parser -> Meta Key Mapping (screenshot in the original post; not reproduced here)

Network Parser -> Meta Key Mapping (screenshot in the original post; not reproduced here)


Attachments